[c-nsp] PIX questions

Raul Lopez Nevot r.nevot at gmail.com
Wed May 14 08:58:55 EDT 2008


I'm sure you can have identity nat for two machines and PAT for others.

You must combine static commands with alias commands:
static (dmz,outside) publicip privateip netmask 255.255.255.255
alias (outside) privateip publicip 255.255.255.255

and then you can achieve PAT for other addresses with nat and access-list commands:

access-list rest-of-machines permit ip host privateip2 any
nat (dmz) 10 access-list rest-of-machines
global (outside) 10 (ip for PAT or interface)

It's always a good practice to control nat commands with access-lists
and avoid the nat (interface) group IP mask, because you can have more
granularity on how to NAT/PAT connections.

On Mon, May 12, 2008 at 9:31 PM, Gregori Parker
<Gregori.Parker at theplatform.com> wrote:
> The alias command still seems usable in 7.2, but I tried this in my
> scenario and it didn't affect anything (also tried the 'dns doctoring'
> and 'hairpinning' solutions)
>

